Description
Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not perform the required authorization checks for an authenticated user (a Missing Authorization Check), allowing an attacker to view and tamper with certain restricted data.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2906996
Scores
CVSS v3
8.1
EPSS
0.0017
EPSS Percentile
37.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-862
Status
published
Products (13)
sap/erp_\(ea-finserv\)
600
sap/erp_\(ea-finserv\)
603
sap/erp_\(ea-finserv\)
604
sap/erp_\(ea-finserv\)
605
sap/erp_\(ea-finserv\)
606
sap/erp_\(ea-finserv\)
616
sap/erp_\(ea-finserv\)
617
sap/erp_\(ea-finserv\)
618
sap/erp_\(ea-finserv\)
800
sap/erp_\(s4core\)
101
... and 3 more
Published
Jun 10, 2020
Tracked Since
Feb 18, 2026